7.8
/ 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.
net: ena: PHC: Fix potential use-after-free in get_timestamp
Move the phc->active check and resp pointer assignment to after
acquiring the spinlock. Previously, phc->active was checked without
holding the lock, and resp was cached from ena_dev->phc.virt_addr
before the lock was acquired.
If ena_com_phc_destroy() runs between the lockless active check and
the lock acquisition, it sets active=false, releases the lock, frees
the DMA memory, and sets virt_addr=NULL. The get_timestamp path would
then read a NULL virt_addr and dereference it.
With both the active check and the pointer read under the lock,
destroy cannot free the memory while get_timestamp is using it.
Basic Information
ID
CVE-2026-52971
Source
Linux
Published
Jun 24, 2026 at 16:28
Modified
Jun 28, 2026 at 06:37
Affected Product
Vendor
Linux
Product
Linux
Version
e0ea34158ee8c4f7536cd781010339ff28c0d24c
Affected Versions
Linux Linux e0ea34158ee8c4f7536cd781010339ff28c0d24c
Linux Linux e0ea34158ee8c4f7536cd781010339ff28c0d24c
Linux Linux e0ea34158ee8c4f7536cd781010339ff28c0d24c
Linux Linux 6.17
Linux Linux e0ea34158ee8c4f7536cd781010339ff28c0d24c
Linux Linux e0ea34158ee8c4f7536cd781010339ff28c0d24c
Linux Linux 6.17